It has been ten days since the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released the long-anticipated HIPAA Omnibus Rule modifying privacy, security, enforcement and breach notification under HIPAA. The Omnibus is actually four final rulings in one. Read Carolyn Hartley’s initial overview of these new rulings. The final rule brings with it many questions from both providers (covered entities) and business associates, five of which are answered here by Doug Pollack of ID Experts.
1. The HIPAA Omnibus Rule has been in the works for several years now and modifies the HIPAA Privacy & Security Rules passed as part of the HITECH Act. Can you tell us why modification was needed?
To clarify, the HITECH Act was a piece of legislation that required the rulemaking body, the U.S. Department of Health and Human Services Office for Civil Rights (OCR), to update HIPAA Privacy and Security Rules to comply with provisions of the Act. For example, there were provisions in the law that required updates to the Security Rule requiring not just HIPAA covered entities but also HIPAA business associates to be in compliance with the rule and be subject to fines and penalties for potential negligence for non-compliance. The HIPAA Omnibus Final Rule also clarified language from the Interim Final Rule in order to clarify that downstream contractors from business associates that touch protected health information (PHI) will also be considered business associates.
2. When does the HIPAA Omnibus Rule go into effect for Covered Entities and Business Associates?
This final rule is effective on March 26, 2013. Covered entities and business associates must comply with the applicable requirements of this final rule by September 23, 2013. Until then, they must comply with the Interim Final Rules as published.
3. We’re reading the HIPAA Omnibus has brought “sweeping changes” to HIPAA privacy and security enforcement. Can you give us a brief rundown of a few of the key compliance issues contained in the final rule?
Sure. One compliance issue with significant changes in the rules is breach notification. There is a requirement that for every data security incident involving PHI, the entity would conduct an incident risk assessment in order to determine the probability that the information was compromised. The rules lay out objective measures for carrying out this assessment covering four factors that must be evaluated. So for instance, if an entity has an incident and its risk assessment concludes that there was a very low probability of compromise of the PHI, it could choose to not notify the affected individuals or OCR. However, the rules require that the entity maintain a “burden of proof” if its conclusions are called into question. So for instance, if OCR investigated the covered entity, it would be required to provide conclusive documentation of its incident risk assessment and analysis as to why the incident did not result in a “compromise” of PHI. If the entity doesn’t meet that burden of proof, it could be found to have been negligent in not notifying the affected individuals and subject to substantial fines, penalties, and corrective action.
Other compliance issues in the HIPAA Omnibus include the requirement that healthcare organizations be able to provide patients with copies of their electronic medical records, upon request; compliance with new restrictions on the “sale” of PHI and associated patient consent; the need for business associates to comply with all of the rules, including downstream contractors that may not have been considered business associates in the past; and compliance with GINA, the Genetic Information Nondiscrimination Act, which restricts disclosure and use of such information for underwriting purposes, among others.
4. How will the HIPAA Omnibus rule impact providers’ handling of personal health information (PHI)?
The Final Rules reiterate the importance that healthcare providers meet stringent requirements for patient privacy and data security. Today, however, their financial exposure has grown, given the aggressive enforcement posture that OCR has adopted towards organizations that have lax privacy/security postures. The most significant clarification in the rules in this regard is related to patient access. Patients will now have the right to get electronic copies of all of their electronic medical records upon request. In the past, providers’ policies in this area have varied significantly.
5. Finally, what sort of challenges do you anticipate for providers meeting the new compliance requirements in the HIPAA Omnibus final rule?
I see one of the greatest challenges as being methodical in carrying out the required privacy and security risk analyses, and rigorously documenting the results and their remediative actions. A recent survey indicated that a majority of hospitals haven’t done a security risk assessment in the last year. There will be little tolerance for that level of neglect going forward.
A second key challenge for providers will be putting in place the appropriate operational mechanisms (policies, procedures, methodologies) for carrying out the security incident risk assessments that are required in the Breach Notification Rule, and documenting their results in such a way as to maintain a burden of proof that will stand up to an audit or investigation by OCR.
Doug Pollack, CIPP, is chief strategy officer at ID Experts, responsible for strategy and innovation including prevention analysis and response services. As a veteran in the technology industry, he has over 25 years of experience in computer systems, software, and security concerns focusing on creating successful new products in new emerging markets. Prior to ID Experts, he held senior management roles at Digimarc, several successful software startups, 3Com Corporation and Apple, Inc. Doug holds a BSEE from Cornell University and an MBA from the Stanford Graduate School of Business.
For those entities not yet compliant, ID Experts offers ID Experts RADAR™, an online incident management software already in use by covered entities nationwide to perform incident risk assessment as prescribed in the Final Rule.